
Dropped packet from legitimate RDP connection

Hello:

Below is one of 9 dropped events from a legitimate employee making an RDP connection to a Terminal Server. Why would he be dropped?

One strange thing I notice is that the legitimate packet has the same srcmac as some other nefarious attempts to connect. Is this the MAC of the nearest router (so that the good and bad are tagged the same)?

2012:10:01-10:29:06 net ulogd[5536]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="0:24:c4:27:44:D9" dstmac="0:1a:8c:12:a7:65" srcip="99.239.***.***" dstip="184.71.***.***" proto="6" length="40" tos="0x00" prec="0x00" ttl="116" srcport="49606" dstport="3389" tcpflags="RST"



   Tom


  • Hi, 

    1. Everything will always have the MAC address of the router. That's how Ethernet works. Ignore the MAC.
    (MACs are shown to help identify LAN machines)

    2. It's a RST that's dropped, not a SYN, so this isn't necessarily a problem; it could just be a connection that timed out.

    Barry
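
An added example, not part of the original thread and not the firewall vendor's code: a small triage script that parses packetfilter lines in the format quoted above and separates dropped SYNs (refused connection attempts) from dropped RST/FIN packets (teardown of a connection, as in the second point of the reply). The sample lines, IP addresses, function names and the space-separated form of multi-flag `tcpflags` values are assumptions made for the illustration.

```python
import re
from collections import Counter

# key="value" pairs as they appear in the log line quoted in the thread
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample lines modelled on that format (documentation IP ranges).
SAMPLE_LOG = """\
2012:10:01-10:29:06 net ulogd[5536]: id="2001" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="198.51.100.7" dstip="203.0.113.10" proto="6" srcport="49606" dstport="3389" tcpflags="RST"
2012:10:01-10:31:40 net ulogd[5536]: id="2001" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="192.0.2.99" dstip="203.0.113.10" proto="6" srcport="51200" dstport="3389" tcpflags="SYN"
2012:10:01-10:31:43 net ulogd[5536]: id="2001" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="192.0.2.99" dstip="203.0.113.10" proto="6" srcport="51200" dstport="3389" tcpflags="SYN"
2012:10:01-10:32:02 net ulogd[5536]: id="2001" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="192.0.2.99" dstip="203.0.113.10" proto="6" srcport="51344" dstport="22" tcpflags="SYN"
"""

def parse_line(line):
    """Return the key="value" fields of one log line as a dict."""
    return dict(FIELD_RE.findall(line))

def classify(fields):
    """Label a dropped TCP packet by what its flags say about the connection."""
    if fields.get("action") != "drop" or fields.get("proto") != "6":
        return "other"
    # Assumption: multiple flags are separated by non-letter characters.
    flags = set(re.findall(r"[A-Z]+", fields.get("tcpflags", "")))
    if flags == {"SYN"}:
        return "new-connection attempt"  # opening packet refused by the ruleset
    if flags & {"RST", "FIN"}:
        return "teardown packet"  # end of a connection, e.g. one that timed out
    return "mid-stream packet"

def summarize(log_text, dstport="3389"):
    """Count drops to one destination port, keyed by (source IP, label)."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields.get("dstport") == dstport:
            counts[(fields.get("srcip", "?"), classify(fields))] += 1
    return counts

if __name__ == "__main__":
    for (src, label), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src:15} {label:25} {n}")
```

Sources that only ever show up under "teardown packet" match the timed-out-connection case; sources with repeated "new-connection attempt" entries are the ones being refused at connection setup.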